
Global Cyberattack Used Spam Twitter Accounts

A complex new cyberespionage campaign targeting governments and diplomatic agencies across the world has been uncovered by two online security companies. The attacks are particularly unusual, since the hackers are using old-school techniques and at the same time taking advantage of an Adobe Reader exploit and even fake Twitter accounts to spread the malware.

Researchers at Kaspersky noted that the attack is unusual and extremely complex, and the perpetrators are unknown at this point. "The guys who created this backdoor, they are really good professionals, and they are not your average APT1 Chinese hacker," said Costin Raiu, a Kaspersky Labs senior security researcher, referring to the Chinese hackers unmasked last week.

Whoever the hackers are, they used a complex, multi-stage attack to spread MiniDuke. First they sent an email containing a well-crafted malicious PDF attachment that purported to be about either human rights seminars, or Ukraine's plans to become a member of NATO. For every attack, the hackers drafted slightly different PDFs to increase the chances that the targets would think they were legitimate documents. This initial attack took advantage of a 0-day exploit in Adobe Reader discovered by FireEye.

Once the victim opened the PDF, a computer-specific (and thus hard to detect) backdoor would be installed on the computer. The backdoor would then scan Twitter for pre-set fake accounts that post bogus, encrypted messages, like the one below. If Twitter isn't working or the accounts have been deleted, the virus has a backup plan to use Google Search to find the encrypted strings.

The malware then decrypts the string of characters and connects to a command-and-control server to download yet another backdoor hidden within a GIF file. At that point MiniDuke connects to one of two servers in Panama and Turkey where it fetches a final backdoor that actually carries out the cyberespionage attack.

The researchers have yet to find out what the fourth and final stage of the attack does to targeted computers, but Raiu speculates that "it could do pretty much anything," much like Red October, which was designed to harvest a wide array of files.

All these steps and series of backdoors were put in place to mask the identity and origin of the attacks, said Raiu, which is why at this point no one really knows who is behind MiniDuke.

The most unusual thing about these attacks, which started gaining steam on February 20, is that they use hacker techniques from the 1990s that are reminiscent of a famous and mysterious group of hackers called 29A. The group started its activities in the mid-90s, coding and creating viruses mostly for fun, and then documenting their exploits in an e-zine.

More bizarrely, MiniDuke's code contains references to Dante's Divine Comedy, and it also hides a clue: the number 666, which in hexadecimal translates to "0x29A".

"We've been wondering for a long time: What happened to the hackers from the old days that were creating these super advanced polymorphic viruses?" asked Raiu, in a Skype interview with Mashable. "What we're seeing here perhaps is a return of these hardcore assembler hackers just like the guys from the 29A group."

Raiu said, however, that it's impossible to know if the perpetrators of this sophisticated campaign are actually the same hackers. In fact, neither Kaspersky nor CrySyS researchers were comfortable speculating who they are. "It's a new threat actor that we haven't seen before," said Raiu. Could they be Chinese? "There is no indication whatsoever anywhere that China is involved in this attack."

The hackers were very good at leaving no trace of their origin, and it's hard to know who they are even from their targets since, as Raiu said, "the people behind these attacks kind of have a grudge on the whole world, they don't make any kind of distinctions." Among their targets are government agencies and embassies in Belgium, Portugal, Ireland, Czech Republic and Romania. In the United States, the victims were two influential think-tanks, a research institute and a big health-care provider.

The researchers refused to provide more details on the targets, but noted that they seem awfully similar to the type of victims that Red October, another cyberespionage campaign uncovered in January, was going after.

"Could it be that the Red October guys are now back in business using a slightly different scheme?" Raiu said. "It's possible, but once again we don't see any connections to Red October so far, except for the fact that the victims appear very similar."

Raiu is asking the online community for help finding other fake Twitter accounts being used by the hackers. The key, Raiu said, is to look for a string of characters that begins with "uri!wp07Vkkx" followed by more random gibberish.
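One way a defender could act on that hunting tip, as an added example that is not part of the original article or of Kaspersky's tooling: flag posts that start with the quoted marker and are followed by an unbroken, high-entropy run of characters, so a tweet that merely mentions the string in ordinary prose is not a hit. The account names and tweet texts below are constructed for illustration, and the entropy threshold is an assumption, not a value from the researchers.

```python
import math
import re

# Marker quoted in the article as the start of the bogus tweets.
MARKER = "uri!wp07Vkkx"

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking text scores high, prose scores low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_dead_drop(text: str, min_tail: int = 16, min_entropy: float = 3.5) -> bool:
    """True when a post starts with the marker and is immediately followed by
    a run of random-looking characters (no whitespace, high entropy).
    min_tail and min_entropy are assumed tuning values, not published ones."""
    if not text.startswith(MARKER):
        return False
    tail = text[len(MARKER):]
    # The encrypted blob is one unbroken token; take the first whitespace-free run.
    m = re.match(r"\S+", tail)
    if not m or len(m.group(0)) < min_tail:
        return False
    return shannon_entropy(m.group(0)) >= min_entropy

def hunt(tweets):
    """Return (account, text) pairs worth a closer look."""
    return [(acct, txt) for acct, txt in tweets if looks_like_dead_drop(txt)]

# Constructed sample feed: these are not real accounts or real MiniDuke posts.
SAMPLE_TWEETS = [
    ("@news_daily", "uri!wp07Vkkx is a funny username, lol"),
    ("@weather_bot", "Sunny skies expected tomorrow, high of 21C."),
    ("@acct_demo1", "uri!wp07VkkxQz8mK2rT9xLp3Wv7nB4dF6hJ1yS5gC0eA"),
    ("@acct_demo2", "uri!wp07Vkkxaaaaaaaaaaaaaaaaaaaaaaaa"),
]

if __name__ == "__main__":
    for acct, txt in hunt(SAMPLE_TWEETS):
        print(acct, txt)
```

Only the third sample is flagged: the first has prose after the marker, and the fourth has a low-entropy run that no encrypted blob would produce.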
